**Session Date/Time:** 09 Nov 2023 14:00

# CFRG Meeting - IETF 118 Prague

## Summary

The CFRG meeting at IETF 118 in Prague covered updates on several active documents, including VDAF, BBS signatures, and AEAD properties, as well as new research on the effect of subtle AAD differences and a new Verifiable Distributed Aggregation Function (VDAF) called Mastic. Discussions also centered on RSA guidance and batch signatures. Several documents are nearing research group last call.

## Key Discussion Points

* **VDAF (Verifiable Distributed Aggregation Function):** Chris presented updates, including optimizations for IDPF and a move from SHAKE to TurboSHAKE. The editors are considering a couple of breaking changes. Open issues include IANA considerations and editorial work. Simon Fee Program questioned the maturity of Poplar compared to Prio and whether multiple implementations are needed.
* **BBS Signatures:** Vasilis discussed updates to the draft. The main changes are refactoring the draft to separate the proof operations and moving the main operations into a high-level API. He proposed a new proof generation procedure from 2016 SDL. A separate document for blind BBS signatures was proposed. The group asked what specific use cases for blind BBS signatures exist, inside the IETF or outside it.
* **AEAD (Authenticated Encryption with Associated Data) Properties:** Andre provided an update on the AEAD properties draft. Samuel Lucas pointed out that the draft previously covered only key commitment and helped provide a roadmap; he noted that it is really interesting that commitment has different applications. Indifferentiability is a topic being worked on, but it presents challenges because it is an entirely different approach to defining AEAD security.
* **Impact of Subtle AAD Differences:** Alex presented research on the impact of subtle AAD differences on protocol security, focusing on automated analysis of protocols and the limitations of attacker models.
* **Mastic (New VDAF):** Dimitris presented Mastic, a new VDAF, focusing on one-hot verifiability and path verifiability to defend against malicious clients.
* **RSA Guidance:** Norman talked about the blanket deprecation of PKCS #1 v1.5. New improvements cover timing side-channel attacks, recommendations about the most common leakage sources, and implicit rejection for PKCS #1 v1.5.
* **Batch Signatures:** David introduced a draft on batch signatures using Merkle trees to improve throughput, aiming for a generic solution applicable to various signature algorithms. Feedback was requested.

## Decisions and Action Items

* **VDAF:** Study in more detail the security implications of the IDPF optimization, in which a little bit of security is sacrificed.
* **BBS Signatures:** Discuss whether blind signature functionality should be a separate document or included in the main draft.
* **RSA Guidance:** Contact the chairs to discuss bringing the draft to an adoption call.

## Next Steps

* **VDAF:** Editors to continue addressing open issues and seek reviews.
* **BBS Signatures:** Reviewers need to review the draft after it is updated to include the new proof generation procedure.
* **AEAD Properties:** Andre to continue working on indifferentiability and incorporating feedback on the draft.
* **Mastic:** Continue evaluations and a full security analysis in a forthcoming paper. The presenters will provide an apples-to-apples comparison of Mastic vs. Poplar.
* **Batch Signatures:** Refine the draft and gather use cases.
* **OPAQUE and CPace:** Start the research group last calls really soon.